Martin Kosek wrote:
> On Fri, 2011-09-23 at 14:12 -0400, Rob Crittenden wrote:
>> Always require SSL in the Kerberos authorization block.
>> This also corrects a slight bug where if add is True then we always
>> re-update the file.
>> rob
> ACK. Pushed to master, ipa-2-1.
> Martin
Sorry guys, this breaks things pretty badly. We need to be able to allow
some non-SSL access to parts of /ipa to fetch configuration and return
errors, etc. for those clients that don't trust our CA yet.
Here is a working change, not fully tested yet:
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 2339387..09b4b7a 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -42,10 +42,17 @@ WSGIScriptReloading Off
SetHandler None
</Location>
+# Ensure SSL is enabled in our APIs
+<Location "/ipa/xml">
+ NSSRequireSSL
+</Location>
+<Location "/ipa/json">
+ NSSRequireSSL
+</Location>
+
# Protect /ipa with Kerberos
<Location "/ipa">
- NSSRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate on
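Review bot: with `NSSRequireSSL` dropped from `<Location "/ipa">` and added only for `/ipa/xml` and `/ipa/json`, every other path under `/ipa` now accepts the Kerberos Negotiate exchange (`AuthType Kerberos`, `KrbMethodNegotiate on`) over plain HTTP, not just the configuration and error responses the cover note wants to expose to clients that do not yet trust the CA. Consider either enumerating the paths that are deliberately reachable without SSL instead of the two that require it, or extending the `# Ensure SSL is enabled in our APIs` comment to name which `/ipa` paths are intentionally cleartext, so that a new endpoint added under `/ipa` later does not silently default to no SSL.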
@@ -114,6 +121,7 @@ Alias /ipa/ui "/usr/share/ipa/ui"
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
+ NSSRequireSSL
AllowOverride None
Satisfy Any
Allow from all
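Review bot: `NSSRequireSSL` is added to a `<Directory>` that also carries `Satisfy Any` with `Allow from all`; please confirm that mod_nss enforces the SSL requirement independently of the `Satisfy` result. In mod_ssl, from which mod_nss is derived, an `SSLRequireSSL` denial can be overridden under `Satisfy any` when another access check passes unless `SSLOptions +StrictRequire` is set, so if mod_nss mirrors that behaviour the equivalent option is needed here for the check to be strict. A plain-HTTP request to `/ipa/migration/` being refused is worth adding to the "not fully tested yet" list.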
_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel